ChatZum adware added to VLC on Softonic
Published April 16th, 2013 at 4:44 PM EDT, modified May 2nd, 2013 at 6:37 AM EDT

It was brought to my attention today by an astute reader that there is a copy of VLC, currently being hosted on Softonic, which has had adware added to it. Of course, I had to investigate, and what I found is very concerning. That report turns out to be completely true, and worse, the adware installs components on your system even when you opt out of installing it!
I won’t provide a link to the installer, but it was trivially easy to find on Softonic. It was immediately evident that something was up, as the download contained a single item: an installer, named VLC.pkg. This does not match the contents of the real VLC download, which can be obtained from www.videolan.org.
Running the installer, I was immediately greeted with another warning, indicating that something was wrong. Apple’s Installer app complained that the package was signed with an invalid certificate, and that it may not be what I was expecting:
As I proceeded with the installation, in the face of all these warning signs, I was met with a screen allowing me to opt out of installing ChatZum:
This seemed fairly innocuous so far, as other apps also install such things. Except, of course, that I knew that VLC does not. As I would ordinarily do in such circumstances (assuming that I was inclined to install software that includes such cruft), I disabled the installation of these items, then clicked Continue.
Immediately after doing that, Little Snitch caught the Unix download tool curl calling home to a ChatZum server:
I don’t know what was sent or downloaded, as I did not do detailed packet captures and analysis.
Eventually, after asking for my admin password, the installation was done, and I opened up Safari to check things out. I had been told that the adware would be installed regardless of opting out of the installation, and it turned out that this was true, in part. I immediately noticed that my search engine had been changed to ChatZum:
I opened Safari’s preferences, and noticed two rather surprising things. I expected to see that my home page and/or my search engine settings had been changed, but they were still set to the same default values that they had been before. I also checked out the Extensions pane of Safari’s preferences, and was further surprised to find nothing there!
This was a bit of a mystery now, so I dug a bit deeper. I found that there were several things installed. First was a pair of files placed in the /Library/Internet Plug-Ins/ folder, named uid.plist and zako.plugin. These did not seem to be responsible, as removing them made no difference in the search engine being used by Safari.
I then discovered that it had also installed SIMBL, a bit of legitimate third-party software that allows modifications to Mac OS X applications through SIMBL plug-ins. Sure enough, not only was SIMBL installed, but there was a SIMBL plug-in named SafariOmnibar.bundle in the /Library/Application Support/SIMBL/Plugins/ folder. Looking in Activity Monitor, the SIMBL Agent process could be seen, being kept alive by a LaunchAgent named net.culater.SIMBL.Agent.plist in /Library/LaunchAgents/. Disabling SIMBL Agent brought Safari back to its senses.
Interestingly, there was also an item named ChatZumUninstaller.pkg that had been placed in the Applications folder. Upon running it, on a fresh and un-tampered-with copy of the software, I found that it did indeed remove SIMBL and all evident signs that ChatZum was installed. However, it left the uid.plist and zako.plugin files in place, so it obviously didn’t remove everything.
I also ran the installer without opting out of ChatZum installation. The result was mostly the same, except for the addition of a ChatZum extension to Safari, and changing of the home page to search.chatzum.com.
What is still unclear is where this rogue installer came from, and how it got on Softonic. One highly concerning thought is that Softonic may be wrapping some applications in custom installers, in order to include adware that will profit Softonic. This technique has been used in the past by less-reputable download sites, such as Download.com, so that would not be particularly surprising. Still, even if this is not the direct action of Softonic, it certainly does show that downloading software from such sites is hazardous, and that you cannot guarantee what you’re going to get. I strongly advise never downloading software from sites like Download.com or Softonic. There’s no reason to subject yourself to such ad-riddled sites and risk the addition of adware or other undesired content to your download.
Removal Instructions
To remove ChatZum, if you have installed this modified copy of VLC, first open Safari’s preferences. In the General pane, change the Homepage setting to whatever page you want to use. Then go to the Extensions pane, select the ChatZum extension and click the Uninstall button. (If you use Firefox or Chrome, you will need to do the same thing there. Chrome’s extensions can be managed from the Extensions link on the settings page. Firefox extensions can be managed by going to Tools -> Add-ons, then selecting Extensions in the list.)
(Note that, as mentioned earlier, if you opt out of installing ChatZum, there won’t be an extension installed. So if you don’t find one, just move on to the next steps.)
Once that is done, you need to manually delete a few files. First, open your Applications folder and delete the following items:
ChatZumUninstaller.pkg
VLC.app
Next, choose Go -> Go to Folder in the Finder (or press command-shift-G) and enter “/Library” in the box (without the quotes), then click Go. In that folder, find and delete the following items:
Application Support/SIMBL/Plugins/SafariOmnibar.bundle
Internet Plug-Ins/uid.plist
Internet Plug-Ins/zako.plugin
(Note that I am including the VLC app on the list of things to remove, as I don’t know at this time if it is the “real” VLC app or not.)
After deleting these files, make sure to quit Safari and reopen it, otherwise the changes will not take effect immediately.
You will probably also want to remove SIMBL, which can cause problems, since it allows all manner of unexpected modifications to applications. If you did not have SIMBL installed already, and want to get rid of it, while still looking in the same Library folder as above, remove the following files:
Application Support/SIMBL/
LaunchAgents/net.culater.SIMBL.Agent.plist
ScriptingAdditions/SIMBL.osax
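To confirm nothing was missed, here is an added example (not part of the original article, and not a Softonic or VideoLAN tool): a read-only shell audit that reports which of the files listed above still exist. The function names, group labels, exit codes and the root argument are this example's own assumptions; VLC.app is left out because its presence alone says nothing about whether the adware is installed.

```shell
#!/bin/sh
# Added example: read-only audit for the leftovers this article lists.
# Paths come from the article; the group labels and exit codes are this example's own.
chatzum_paths() {
cat <<'EOF'
chatzum|Applications/ChatZumUninstaller.pkg
chatzum|Library/Application Support/SIMBL/Plugins/SafariOmnibar.bundle
chatzum|Library/Internet Plug-Ins/uid.plist
chatzum|Library/Internet Plug-Ins/zako.plugin
simbl|Library/Application Support/SIMBL
simbl|Library/LaunchAgents/net.culater.SIMBL.Agent.plist
simbl|Library/ScriptingAdditions/SIMBL.osax
EOF
}

# audit_chatzum ROOT
# Prints "FOUND <group> <path>" for each listed item that exists under ROOT.
# Returns 0 if nothing is found, 1 if any ChatZum item is present,
# 2 if only SIMBL items remain (SIMBL may have been installed on purpose).
audit_chatzum() {
    root=${1:-/}
    root=${root%/}            # "/" becomes "", so paths stay absolute
    found_chatzum=0
    found_simbl=0
    while IFS='|' read -r group rel; do
        path="$root/$rel"
        # -e is false for a dangling symlink, so check -L too
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf 'FOUND %s %s\n' "$group" "$path"
            case $group in
                chatzum) found_chatzum=1 ;;
                simbl)   found_simbl=1 ;;
            esac
        fi
    done <<EOF
$(chatzum_paths)
EOF
    [ "$found_chatzum" -eq 1 ] && return 1
    [ "$found_simbl" -eq 1 ] && return 2
    return 0
}

# Run only when a root is given, e.g.:  sh audit.sh /
if [ "$#" -gt 0 ]; then
    audit_chatzum "$1"
    exit $?
fi
```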
Updates
I was contacted today by Ezequiel Galli from Softonic. He apologized for “the bug where some users have had their default search changed to ChatZum even if they opted out of the toolbar installation” (to quote his words). However, he also said, “In this case, we were testing an Installer for Mac on selected software and thanks to your post and other users information, we have immediately stopped the distribution of this installer until our provider corrects the error.” This indicates, to me, that Softonic does not see a problem with adding their own adware to freeware programs. I have a very serious problem with that behavior, and am still recommending boycotting Softonic. It seems they have not learned their lesson.
He also provided a link to the following removal instructions:
http://support.softonic.com/index.php?/english/Knowledgebase/Article/View/425/35/how-to-uninstall-zako-and-monotizer
It’s important to note, though, that these instructions do not work completely. Since they rely on the ChatZumUninstaller.pkg file, following these instructions will leave behind the uid.plist and zako.plugin files, as mentioned above.
Intego has also posted their own comments on the matter today, and has classified these ChatZum installers as an adware trojan, naming it OSX/Okaz.A.
44 Comments
THANKYOU!!
Thank youuuuuu!!!
Great post, thanks…
Thanks a lot!
Thanks! It was also added to UnRarX on Softonic
sorry, but how do you delete those ‘library/…’ files?
There seems to have been some confusion as to how to find the proper Library folder, so I made some changes that will hopefully make it clearer.
I followed your steps, does this mean it’s completely gone? Although I’m not sure how I got it. I have VLC installed a very long time ago. This just suddenly popped up. I did download a BitTorrent installer a few days ago… How can I double check to make sure it’s completely off my Mac?
Hi, I got this **** **** ChatZum when I downloaded UnRarX. Wish I could punch the **** who make it. I’ve tried the above but nothing has come up in extensions, it’s empty, and I can’t find Library. Please help me get rid of the ****
Thank you very much for this post – I’ve been pulling my hair out over this. Neither ClamXav nor Nortons picked this up, is this correct?
Nothing picked it up initially. Some anti-virus programs are starting to detect it, though I wouldn’t count on Norton being one of them. Its definitions on the Mac lag far behind most.
Reference AV programs, can you recommend one to use? I’m a newbie so any help would be much appreciated.
See my Mac Malware Guide.
Excellent read – can’t thank you enough for all your help. Have forwarded this information to friends.
Thank you so much for this.
Excellent post. Genuine thanks for this.
I am trying to uninstall this program after installing the bloated VLC player. When I go to the extensions tab in the Safari preferences, nothing shows up. We know the program is on the computer as chatzum shows up when we search. I want to make sure to completely get rid of these files. What should I do if the extension does not show up?
Yup, as the article mentions, the extension does not get installed if you choose to “opt out” of installing ChatZum. Continue with the directions and remove all of the rest of the files.
Thank you very much! Everything seems back to normal. I must have missed the part about the extension in the article when I was in panic mode.
Mr. Thomas,
I’m writing to you from Spain and I want to THANK YOU A LOT, A LOT, A LOT for your post. Finally I could get rid of CHATZUM…
I was working on it, trying to find information to uninstall this ChatZum, but for Mac users there wasn’t anything that could really help with it, until I found your article.
It was very helpful!!!!!! instead, I didn’t know what to do
THANKS AGAIN AND AGAIN
Please keep helping with your articles!
Hello Thomas,
softonic always do this. Is part of the marketing strategy. This time was the time of MAC users but happens all the time with every file or installer or whatever coming form and then. Once he done the move, they carefully monitor the Internet looking for deactivate complains. Comes to apologize.
Several friends who wrote on blogs about Babylon were contacted by Softonic in order to “help and to explain it’s not malware” and to apologize.
The only purpose of this company is to install its own hidden software and make money with that
thx heaps!!! it worked
Browser hijacking is a serious problem on Windows computers, and they are impossible to get rid of. That’s one of the reasons that I switched to Mac, only to find out that ChatZum hijacked my Safari. However, your explanation of how to get rid of it is clear and concise, and it worked! Thank you very much!
So, by “cruft,” I assume you mean something along the lines of “junk?”
Yes.
I guessed as much, although I wanted confirmation. Thanks!
Softonic needs to be sued out of existence. You do NOT do this to Mac users.
No, you do not do this to ANY users.
Can you help me please, when I went to the extension folder there was nothing in there. I’m pretty new to using Mac so I have no idea how to remove chatzum on my own!
As mentioned in the article, the extension is not always installed. If you don’t find the extension, continue with the rest of the instructions.
thanks for providing this helpful guide
Thank you so much, this was a huge help. I’d been going nuts trying to get rid of Chatzum. I have no idea how it ended up on my system (I don’t have VLD currently) but I’m glad to see it go.
You may have gotten it from some other Softonic installer thingy…
Thank you!!!!!!!
Thank you SO much! You are an absolute life saver! I’ve been freaking out about it and now it’s gone. THANK YOU THANK YOU THANK YOU! Oh, and thanks for the link to the real VLC 🙂
how about Cnet.com? are they safe?
I mean http://download.cnet.com/mac/
That’s what I referred to as Download.com, they have done the same kind of thing at some point in the past.
Tobi, here’s a tip: Download from only two places: the Mac App Store and the official developer website.
Here I am sitting at my computer in appreciation and gratitude to your help and expertise. After following your sound advice, the chatzum annoyance is NO LONGER!! Hooray!!!
I am all for being educated and now have learned the lesson in scrutinizing any downloads before initiating.
Needless to say, I am very grateful for your advice and taking the time to give it including the expeditious response.
Regards
Stuart
Thomas, do you know whether the apps Softonic is ChatZumifying are the legit apps or not?
They appeared to be, they just carried extra baggage along with them. Note, though, that as far as I know, Softonic isn’t doing this anymore. However, I still wouldn’t trust them as far as I could throw their server farms! 🙂 My contact with a Softonic rep indicates that they don’t see anything wrong with what they did. I strongly advise avoiding Softonic altogether.
Oh, for sure. I do not, have not, and will not ever have any intention of downloading from anywhere other than the App Store and the official website.
And what’s a server farm, and approximately how much does it weigh? 🙂
VLC IS JUST ONE OF MANY ADWARE INFECTED APPS HOSTED ON SOFTONIC………
E.G. CHECK THE RAR.DMG WINRAR FOR MAC ON SOFTONIC….
😉